APPENDIX 2 



/** 

* IPS multithreaded error (rule) processing engine 

* @file error^processor.h 

* ©author jmccaskey 
*/ 

#ifndef ERROR_PROCESSOR_H 
#define ERROR_PROCESSOR_H 

/** 

* Function to process an error node as generated by the rule code. 

* This function should be called as a thread. It is responsible for 

* deciding whether or not an error log entry should be created, 

* creating it if so. and updating the escalation level for rule_monitor table 

* entries. 
*/ 

void error_processor(); 
#include "error_processor.c" 
#endif 



/** 

* IPS multithreaded event processing engine 

* Contains functions responsible for errorjog inserts 

* and rule_monitor table updates. 

* @file error_processor.c 

* ©author jmccaskey 
*/ 

/** 

* Function to process an error node as generated by the rule code. 

* This function should be called as a thread. It is responsible for 

* deciding whether or not an error log entry should be created, 

* creating it if so, and updating the escalation level for rule_monitor table 

* entries. 
*/ 

void error_processor() { 

MYSQL mysql_connection; 
MYSQL^RES *result; 
MYSQL_ROW row; 
char *sqLquery; 
int n; 

int send_notification = 1 ; 

mysql_threadjnit(); 
//try the mysql connection 
mysqlJnit(&mysqLconnection); 

if(!mysqLreal_connect(&mysqLconnection, db_host, db_user, db_pass, db_db, 0, NULL, 0)){ 
flockfile(stderr); 

fprintf(stderr, "%s: Failed to connect to database: Error: %s\n", timestamp, 
mysql_error(&mysqLconnection)); 
funlockfite(stderr); 
pthread_exit(NULL); 

} 

//try to select the database 

if(mysqLselect_db(&mysql_connection, db_db)!=0) { 
flockfile(stderr); 

fprintf(stderr, "%s: Failed to select database: Error: %s\n", timestamp, 
mysqLerror(&mysql_connection)); 
funlockfile(stderr); 
pthread_exit(NULL); 

} 

//infinite loop to be exited within when polling is done and nothing is left in the queue 

error_node *errnode; 

while(1){ 

//default back to not sending a notification each loop 
send_notification = 1 ; 

pthread_mutexJock(&error_work_queue.mutex); 
while(error_work_queue.c_queue,head==NULL) { 
pthread_mutexJock(&polling_done_mutex); 
if(polling_done==1) { 

pthread_mutex_unlock(&polling_done_mutex); 

pthread_mutex_unlock(&error_work_queue.mutex); 

//we are finished with everything in the queue and nothing more is 



coming... time to die 

mysqLclose(&mysql_connection); 
mysqLtliread_end{); 
pthread_exit{NULL); 
} else { 

pthread_mutex_unlock(&polling_done_mutex); 

//more errors may be coming... wait for them... 
pthread_cond_wait(&error_work_queue.cond. 
&error_work_queue.mutex); //now unlocked... reaquired after we pass 

} 

} 



#ifdef DEBUG 



#endif 



errnode = (error_node *) queue_get{&error_work_queue.c_queue); 
pthread_mutex_unlock(&error_work_queue.mutex); 

flockfile(stdout); 

fprintf(stdout, "%s\n", errnode->message); 
funlockfile(stdout); 



assert(sqLquery = malloc(800)); 
n=snprintf{sql_query, 800, "SELECT current_escalation FROM rule_monitor WHERE rulejd = 

%d " 

"AND rule_serverjd = %d AND monitorjd = %d AND monitor_serverJd = %d", 
errnode->ruleJd, errnode->rule_serverJd, errnode->monitorJd, errnode- 
>monitor_serverJd); 

//execute query for devices 

if(mysql_real_query(&mysql_connection, sql_query, n)!=0){ 
flockfile(stderr); 

fprintf{stderr, "%s: Failed while attempting to select old escalation level: Error: %s\n", 
timestamp, mysql_error(&mysql_connection)); 
funlockfile(stderr); 
free(sql_query); 
} else { 

free(sqLquery); 

} 

//store results from last query into result 
result=mysqLstore_result(&mysqLconnection); 

int escalation = 0; 
row=mysql_fetch_row(result); 
jf(row==NULL) { 
flockfile(stderr); 

fprintf(stderr, "%s: Couldn't fetch old escalation, asuming it was zero for this 
single rule.. An", timestamp); 

funlockfile(stderr); 
mysql_free_result(result); 
} else { 

escalation = atoi{row[0]); 

} 

//now we have the row... 
if(errnode->failed == 0) { 
if(escalation > 0) { 

assert(sqLquery = malloc(800)); 



n=snprintf(sqLquery. 800, "UPDATE aile^monitor SET 
current_escalation = 0 WHERE rulejd = %d " 

"AND rule_serverjd = %d AND monitorjd = %d AND 

monitor_serverJd = %d". 

errnode->ruleJd, errnode->rule_serverJd, errnode- 

> mon itor Jd , errnode-> mon i tor_server Jd ) ; 

if(mysql_reaLquery(&mysql_connection, sqLquery. n)!=0) { 
flockfile(stderr); 

fprintf(stderr, "%s: Failed while attempting to reset escalation: Error: %s\n". 
tinnestamp, nnysqLerror(&mysqLconnection)); 

funlockfile(stderr); 

} 

free(sql_query); 
} else { 

//this is an ok, and the rule was already ok last period, so don't do 

anything with it 

send_notification = 0; 

} 

} else if(errnode->failed == 1) { 

assert(sql_query = malloc(800)); 

n=snprintf(sql_query, 800, "UPDATE rule^monitor SET current_escalation = %d 

WHERE rulejd = %d " 

"AND rule__serverjd = %d AND monitorjd = %d AND monitor_serverJd = 

%d", esca!ation+5, 

errnode->ruleJd, errnode->rule_serverJd, errnode- 

>monitorJd, errnode->monitor_serverJd); 
#ifdef DEBUG 

flockfile(stdout); 

fprintf(stdout, "%s\n", sqLquery); 
funlockfile(stdout); 

#endif 

escalation += 5; 

if(mysql_real_query(&mysql_connection, sql_query, n)!=0) { 
flockfile(stderr); 

fprintf(stderr, "%s: Failed while attempting to increase escalation: Error: %s\n", 
timestamp, mysqLerror(&mysqLconnection)); 

funlockfile{stderr); 

} 

free(sqLquery); 
} 

if(send_notification == 1) { 
char verdict[6]; 
if(errnode->failed == 1) 

strcpy(verdict, "ERROR"); 

else 

strcpy(verdict, "OK"); 

assert(sql_query = malloc(IOOO)); 
n=snprintf(sqLquery, 1000, "INSERT INTO errorjog " 

"(errorJog_serverJd, rulejd, rule_serverjd, monitorjd, 

monitor_serverJd, " 

"msg, timestamp, verdict, escalation, notified) " 
"VALUES (%d, %d, %d. %d. %d, 'yos', 'yos', '%s\ %d. 0)", 
serverjd. errnode->ruleJd, errnode->rule_serverJd, errnode- 
>monitorJd, errnode->monitor_serverJd, 

errnode->message, timestamp, verdict, escalation); 



#ifdef DEBUG 

flockfile(stdout); 

fprintf(stdout, "%s\n". sqLquery); 
funlockfile(stdout); 

#endif 

if(mysqLreaLquery(&mysqLconnection, sql_query, n)!=0) { 
flockfile(stderr); 

fprintf(stderr. "%s: Failed while attempting to insert into errorjog: Error: %s\n", 
timestamp, mysql_error(&mysqLconnection)); 

funlockfile(stderr); 

} 

free(sql_query); 
} 

mysqLfree_result{result); 
free(errnode); 

} 

} 



